Hacker says security flaw let him access any Facebook profile

The social network recently fixed a bug discovered by a developer who demonstrated how the loophole let him take over other people's accounts.

A security hacker recently found a flaw in a Facebook system that allowed developers to access anyone's Facebook account through app permissions.

Though Facebook has fixed this issue, Nir Goldshlager, a Web application security specialist who looks for these types of flaws professionally, found more app authorization bugs that need fixing, according to his blog. App permissions are what developers use to access the user data needed to run their apps. Users give them access permission when they install the apps.

"I found a couple more OAuth flaws in Facebook, just waiting for a fix to post about it," Goldshlager wrote in his blog, where he detailed his findings.

Facebook wouldn't comment on what other flaws Goldshlager may have found but did say the original bug he detected had not been taken advantage of by actual Facebook developers. The company didn't say when Goldshlager reported the flaw.

"We applaud the security researcher who brought this issue to our attention and for responsibly reporting the bug to our White Hat Program. We worked with the team to make sure we understood the full scope of the vulnerability, which allowed us to fix it without any evidence that this bug was exploited in the wild," a Facebook representative wrote in an e-mail to CNET. "Due to the responsible reporting of this issue to Facebook, we have no evidence that users were impacted by this bug. We have provided a bounty to the researcher to thank them for their contribution to Facebook Security."

The bug Goldshlager found allowed him to steal access tokens and gain full access to a profile as a developer. This included messages, page management, ad management, private photos, and videos. It also applied to profiles that hadn't installed any extra apps, because he could go through Facebook's built-in apps, such as Messenger, as well. Tokens for third-party apps didn't expire unless the victim changed his or her password, but the tokens for Facebook's own Messenger app never expired, he wrote.
